Archived Blog
ICANN approves new laissez-faire TLD addition process
06.27.2008 - 12:00 PM
Alright, the bad news.
ICANN today approved a three-year-old proposal for the addition of new top-level domains (TLDs) to the Internet. You're at our Web site now, so you are already familiar with several established TLDs, such as .com and .net. In addition, you've probably encountered country-code TLDs (ccTLDs), such as .us and .jp. The proposal approved today will allow user-created TLDs - anything from .ebay to .alex - to be submitted for approval. This may sound like a splendid idea, but it is rife with opportunities for abuse. Consider the following domains:
- websense.exe
- g.mail
- wedding.jpg
- pay.pal
Fortunately, our friends at ICANN are not completely oblivious to the security concerns, and have taken steps to implement several deterrents to would-be criminals and fraudsters. Unfortunately, where there is a will, there is a way. We're guaranteed to start seeing new categories of fraud as soon as these gTLDs begin to appear.
As outlined by the proposed evaluation process, there are four primary grounds for the denial of a gTLD application:
- Too Similar to Reserved Names or existing TLD?
The proposed TLD must pass a basic check against all existing TLDs and any reserved names. Details are scarce on what exactly a "reserved name" is, but hopefully it will include various file extensions (e.g., exe, pdf, js). To assist with the automatic identification of similarity with existing TLDs, ICANN commissioned the National Institute of Standards and Technology to create a tool. This tool, dubbed Compute Visual Similarity of TLDs, is available publicly for experimentation. This should assist in the prevention of basic typo attacks such as ".C0M" (zero in place of the O).
- Business/Technical Criteria Evaluation
The applicant must make a clear business case for use of the proposed TLD. In addition, the applicant must prove to be technically competent. It's not clear exactly what establishes technical competence, but I think we can safely assume that my mother will not be granted her own TLDs. Sorry, mom!
- Public Objections
Finally, all applications are made public and anyone is allowed to submit their objections to a particular TLD. This places the onus of responsibility on the general public to prevent the majority of fraud cases. In addition, all applications are likely to be monitored heavily for trademark abuse... no .pepsi for me! :-(
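A small screening check in the spirit of the reserved-name and similarity review above, run against the example names from the start of this post. It is an added example, not ICANN's or NIST's tool; the lists, the digit-folding table and the function names are assumptions made for illustration.

```python
# Added example, not ICANN's or NIST's code. All lists are small constructed samples.
EXISTING_TLDS = {"com", "net", "org", "us", "jp"}
FILE_EXTENSIONS = {"exe", "pdf", "js", "jpg"}   # the "reserved names" the post hopes for
BRANDS = {"gmail", "paypal"}                    # hypothetical brand watchlist

# Assumed look-alike folding (digit -> the letter it imitates); a stand-in for
# a real visual-similarity score.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Lowercase a label, drop a leading dot, and fold look-alike digits."""
    return label.lower().lstrip(".").translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_tld(tld):
    """Return the reasons a proposed TLD label should be held for review."""
    raw, skel = tld.lower().lstrip("."), skeleton(tld)
    reasons = []
    if raw in FILE_EXTENSIONS:
        reasons.append("file-extension")
    for known in sorted(EXISTING_TLDS):
        if raw == known:
            reasons.append(f"exists:{known}")
        # Two-letter ccTLDs are skipped for edit distance: too many false hits.
        elif skel == known or (len(known) >= 3 and edit_distance(skel, known) == 1):
            reasons.append(f"similar:{known}")
    return reasons


def screen_hostname(host):
    """Flag names that read as a file, or as a brand once the dots are ignored."""
    labels = host.lower().rstrip(".").split(".")
    reasons = screen_tld(labels[-1])
    if skeleton("".join(labels)) in BRANDS:
        reasons.append("brand-split")
    return reasons
```

The same `screen_hostname` check can be run over a feed of newly registered domains to surface names like the four listed earlier.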
Back in 2004, ICANN implemented an "Add Grace Period" (AGP) policy for the registration of new domains. This effectively allowed for a five-day trial period of any newly registered domain. Abuse of this policy skyrocketed almost immediately as the practice of "domain tasting" took off. Basically, domain tasters register millions of domains, fill them all with advertisements and then return every domain that does not generate enough traffic just before the five-day grace period expires.
Bob Parsons, of GoDaddy.com, explained the problem best back in 2006: http://www.bobparsons.tv/DomainKiting.html.
Here in Websense Security Labs, we monitor the registration of all new domains, and we can personally attest to the problem caused by abuse of the AGP policy. The policy is not only abused to commit click-fraud. Fast-flux malware authors use the policy to freely register thousands of domains for use by their malware, making the subsequent tracking and shutdown of these domains a daunting task.
That should all end shortly: ICANN today approved a new policy that puts a severe damper on these domain tasters:
"[no] refund for any domain name deleted during the AGP that exceeds 10% of its net new registrations in that month, or fifty domain names, whichever is greater"
Further reading:
http://www.icann.org/en/announcements/announcement-3-26jun08-en.htm
http://ap.google.com/article/ALeqM5gvve1Yb-5RVLc0GTkIwFT6flYwvAD91HRS580
Security Researcher: Alex Rice